tomcat-users mailing list archives

From "Christopher Williams" <ccwillia...@ntlworld.com>
Subject Re: SSL/Verisign Confusion
Date Sun, 07 Sep 2003 09:57:58 GMT
www.openssl.org is the website for OpenSSL.  It's an open source
implementation of SSL / TLS together with a tremendous amount of other stuff
(such as X.509, S/MIME, every cryptographic algorithm you ever heard of).
You can also use it to set up your own CA - it's not the easiest software to
use as it takes a terrific number of command line switches, but it's
probably more convenient than having to wait on Verisign and renew your
certificates every couple of weeks.

----- Original Message ----- 
From: "Adam Hardy" <ahardy.struts@cyberspaceroad.com>
To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
Sent: Sunday, September 07, 2003 10:43 AM
Subject: Re: SSL/Verisign Confusion


> Hi Dave,
> how much does it cost at Verisign, and how long is it valid for? And is
> this 'openssl' you mentioned a free alternative?
>
> Adam
>
> On 09/06/2003 03:21 PM Dave Wood wrote:
> > FINALLY!
> >
> > I still don't know what I did wrong in the first place, but after starting
> > over with VeriSign, all is well now.  I thought I'd share the (simple!)
> > steps I took to get SSL running using keytool/tomcat in case anyone else
> > might find this useful:
> >
> > # keytool -genkey -alias tomcat -keyalg RSA
> > [enter a password and all necessary information, then just <enter> at next
> > password prompt]
> > # cp ~/.keystore ~/.keystore-backup
> > # keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr
> > [enter same password]
> > [give contents of certreq.csr to VeriSign and wait for response...]
> > [NOTE: when asked to select my server software, I chose "apache" since they
> > didn't have Tomcat in their list...I don't know if this matters, but it
> > worked]
> > # keytool -import -trustcacerts -file intermediate.crt -alias root
> > [enter same password]
> > [NOTE: intermediate.crt is the file found here:
> > http://www.verisign.com/support/install/intermediate.html]
> > # keytool -import -trustcacerts -file public.crt -alias tomcat
> > [enter same password]
> > [where public.crt is the certificate sent from VeriSign after they complete
> > their approval process]
> > [finally, edit ...tomcat/conf/server.xml and enable the SSL connector
> > section, adding keystorePass="[password]"
> > as an attribute to the Factory tag]
> >
> > Hope this helps.
> >
> > Thanks to all who provided suggestions along the way.
> >
> > Dave
> >
> > -----Original Message-----
> > From: Dave Wood [mailto:dave@woodtopia.org]
> > Sent: Friday, September 05, 2003 11:40 AM
> > To: Tomcat Users List
> > Subject: RE: SSL/Verisign Confusion
> >
> >
> > Well, after all this, I just discovered that VeriSign will basically let you
> > start over if it's within 30 days (which it is).  So, for now, I'm going
> > down this path.  Just talked to someone at V/S who said it would take just a
> > couple hours.
> >
> > Oh, and I made a BACKUP of my new keystore file this time that now contains
> > a single "keyEntry" with the alias "tomcat".  I try to avoid being stupid in
> > the same way more than once! :)
> >
> > As for the programmatic approach, FWIW, I started down that path as well,
> > but somehow I had no private key entry in the keystore (best I can tell).
> > Still not sure how I got in that messed up state.
> >
> > Thanks,
> > Dave
> >
> > -----Original Message-----
> > From: Christopher Williams [mailto:ccwilliams3@ntlworld.com]
> > Sent: Friday, September 05, 2003 9:43 AM
> > To: Tomcat Users List
> > Subject: Re: SSL/Verisign Confusion
> >
> >
> > Have you thought of manipulating the keystore programmatically?  Here's what
> > you'd do:
> >
> > 1. Open your existing keystore
> > 2. Find the entry with your private key and (presumably) a temporary
> > self-signed certificate.
> > 3. Open the certificate you got from Verisign.
> > 4. Change the certificate in your key entry to your Verisign certificate.
> > 5. Save and close the keystore.
> >
> > OpenSSL doesn't understand most of the Java keystore formats, although it
> > can manipulate PKCS#12 files which Keytool can handle.  If you download the
> > BouncyCastle crypto provider, then you can use keytool to write PKCS#12
> > files as well.
> >
> > Also, if the person who originally posted the question doesn't feel up to
> > monkeying around with the Keystore classes, I have some code that I can
> > adapt to stick your Verisign certificate in your keystore.  Get in touch
> > with me personally and I'll see what I can do.
> >
> > ----- Original Message -----
> > From: "Jay Garala" <jay@electrosoft-inc.com>
> > To: "'Tomcat Users List'" <tomcat-user@jakarta.apache.org>
> > Sent: Friday, September 05, 2003 3:36 PM
> > Subject: RE: SSL/Verisign Confusion
> >
> >
> > NOTE: You cannot export private key from keystore.
> >
> > -----Original Message-----
> > From: Dave Wood [mailto:dave@woodtopia.org]
> > Sent: Friday, September 05, 2003 10:32 AM
> > To: Tomcat Users List
> > Subject: RE: SSL/Verisign Confusion
> >
> > Thanks.  With the exception of the openssl doc, I've been over these quite a
> > bit.  The result is the problem I've mentioned where keytool says it can't
> > import my certificate because the alias already exists.
> >
> > After some help I got last night, I think the question boils down to this:
> >
> > * once I have extracted my private key from keytool (haven't done this yet),
> > how do I take that key, the VeriSign intermediate certificate and my public
> > key certificate and get them to play together.  I'm hoping the openssl stuff
> > will take care of this, because keytool doesn't really seem to recognize
> > private keys as things that you can work with directly.
> >
> > Thanks again,
> > Dave
> >
> > -----Original Message-----
> > From: Jay Garala [mailto:jay@electrosoft-inc.com]
> > Sent: Friday, September 05, 2003 7:12 AM
> > To: 'Tomcat Users List'
> > Subject: RE: SSL/Verisign Confusion
> >
> >
> > Try the Java keytool help:
> >  http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html
> >
> > Tomcat how-to:
> >  http://jakarta.apache.org/tomcat/tomcat-4.1-doc/ssl-howto.html
> >
> > If you have OpenSSL:
> >  http://forum.java.sun.com/thread.jsp?forum=2&thread=4240
> >
> > Jay
> > -----Original Message-----
> > From: Dave Wood [mailto:dave@woodtopia.org]
> > Sent: Friday, September 05, 2003 1:04 AM
> > To: Tomcat Users List
> > Subject: RE: SSL/Verisign Confusion
> >
> > Thanks Bill.  I think this highlights something I'm really not
> > understanding...
> >
> > Didn't I generate an important "private key" somewhere along the line that I
> > can't just regenerate if I blow away my keystore?  I assumed the certificate
> > I got back from verisign would only work if I still had the original private
> > key I generated before sending them my request.  Is that wrong?
> >
> > (I'll take a look at the link you sent...at first glance, it looks a little
> > hard to follow, but hopefully not).
> >
> > Thanks again.
> >
> > Dave
> >
> > -----Original Message-----
> > From: news [mailto:news@sea.gmane.org]On Behalf Of Bill Barker
> > Sent: Thursday, September 04, 2003 11:06 PM
> > To: tomcat-user@jakarta.apache.org
> > Subject: Re: SSL/Verisign Confusion
> >
> >
> > Firstly, it looks like you should wipe you keystore and start again.  To use
> > a VS cert with Tomcat, the two options I know are:
> > 1) Follow the instructions at http://www.comu.de/docs/tomcat_ssl.htm.
> > 2) Using openssl or otherwise, convert your cert+key to a pkcs12 file, and
> > use that as your keystore (remember to set 'keystoreType="pkcs12"' on the
> > Factory in server.xml).
> >
> >
> > "Dave Wood" <dave@woodtopia.org> wrote in message
> > news:EBEBKKMEAECJFOHFOLHLIELKCIAA.dave@woodtopia.org...
> >
> >>I'm having a problem getting an SSL certificate from Verisign working
> >>correctly.  I'm going to include everything I can think of that MIGHT be a
> >>problem.  Unfortunately, there are a couple things I can't quite remember
> >>for certain.  Here's the situation:
> >>
> >>1. I generated the initial key using an alias other than "tomcat" (we'll
> >>call it "company")
> >>2. I generated the CSR and sent it to verisign.  I still have this file.
> >>3. Verisign changed the company name during the verification process (from
> >>an acronym to the full spelling of the name)
> >>4. I now have the certificate that they sent back after the validation
> >>process.
> >>5. One thing I can't account for is why when I see this:
> >>
> >>$ keytool -list
> >>
> >>Keystore type: jks
> >>Keystore provider: SUN
> >>
> >>Your keystore contains 4 entries: (...others removed...)
> >>
> >>company, Fri Aug 22 08:47:04 MDT 2003, trustedCertEntry,
> >>Certificate fingerprint (MD5):
> >>00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 (the numbers aren't really
> >>0's)
> >>
> >>...I think I must have self-signed or something (I was doing a couple of
> >>these things and don't recall exactly), but I'm surprised to see
> >>"trustedCertEntry" here.
> >>
> >>The problem I'm having is this:
> >>
> >>$ keytool -import -trustcacerts -alias company -file public.crt
> >>Enter keystore password: xxx
> >>keytool error: java.lang.Exception: Certificate not imported, alias
> >><company> already exists
> >>
> >>(but I'm thinking it should be REPLACING this entry, so the fact that it
> >>exists shouldn't be a problem???)
> >>
> >>So, I have several questions:
> >>
> >>1. Am I hosed completely because I didn't use "tomcat" as the alias?
> >>2. How does the private key get stored exactly?  I assume that if I delete
> >>the current entry for the "company" alias, I'll be losing the private key,
> >>right?
> >>3. Can someone provide steps I should take to get this working given what I
> >>have said above.
> >>
> >>Thanks so much in advance.  Sorry to be so long-winded.
> >>
> >>-Dave
> >>---
> >>Outgoing mail is certified Virus Free.
> >>Checked by AVG anti-virus system (http://www.grisoft.com).
> >>Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003
> >
> >
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >
> > ---
> > Incoming mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.512 / Virus Database: 309 - Release Date: 8/19/2003
> -- 
> struts 1.1 + tomcat 4.1.27 + java 1.4.2
> Linux 2.4.20 RH9
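
The five steps Christopher lists (open the keystore, find the key entry, read the CA certificate, swap the certificate in the key entry, save) written out against the java.security.KeyStore API, as an added example for this thread; it is not code from the thread, from Tomcat or from the keytool sources. It also does the two checks behind Dave's questions: it refuses an alias that is only a trustedCertEntry (no private key to attach the reply to), and it refuses a CA certificate whose public key is not the one belonging to the stored private key, which is why a certificate only works with the key that signed the original CSR. Assumptions I made: the keystore is JKS, the key password equals the keystore password (the "just <enter> at next password prompt" convention Tomcat needs), and the file names, alias and the ".new" output path are placeholders. Back the keystore up first, as Dave did.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Swap the certificate held in a JKS key entry for the CA-issued one without
 * touching the private key that signed the CSR.  Example code; file names,
 * alias and the JKS/shared-password assumptions are constructed for it.
 */
public class ReplaceKeyEntryCert {

    /** Reads every PEM or DER certificate in a file, in file order. */
    static List<X509Certificate> readCerts(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
        }
        if (out.isEmpty()) {
            throw new IllegalArgumentException("no certificate found in " + path);
        }
        return out;
    }

    /**
     * Replaces the chain of key entry 'alias' with [issued, intermediates...].
     * Refuses if the alias is not a key entry, if the issued certificate does not
     * carry the public half of the stored private key, or if the issued
     * certificate was not signed by the first intermediate.
     */
    static void replaceCertificate(KeyStore ks, String alias, char[] password,
                                   X509Certificate issued,
                                   List<X509Certificate> intermediates) throws Exception {
        if (!ks.isKeyEntry(alias)) {
            // A trustedCertEntry under this alias means the private key is not
            // here; a CA reply cannot be attached to it.
            throw new IllegalStateException("alias '" + alias + "' is not a key entry");
        }
        Key key = ks.getKey(alias, password);
        if (!(key instanceof PrivateKey)) {
            throw new IllegalStateException("alias '" + alias + "' holds no private key");
        }
        // The self-signed certificate currently in the entry carries the public
        // half of the stored private key; the CA reply must carry the same key.
        byte[] storedPub = ks.getCertificate(alias).getPublicKey().getEncoded();
        byte[] issuedPub = issued.getPublicKey().getEncoded();
        if (!Arrays.equals(storedPub, issuedPub)) {
            throw new IllegalStateException(
                "issued certificate does not match the private key under '" + alias + "'");
        }
        // Check the issuer link before storing the chain; verify() throws on failure.
        if (!intermediates.isEmpty()) {
            issued.verify(intermediates.get(0).getPublicKey());
        }
        List<X509Certificate> chain = new ArrayList<>();
        chain.add(issued);
        chain.addAll(intermediates);
        // setKeyEntry overwrites the existing entry, so there is no
        // "alias already exists" error as with keytool -import.
        ks.setKeyEntry(alias, key, password, chain.toArray(new Certificate[0]));
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println(
                "usage: ReplaceKeyEntryCert <keystore> <alias> <issued.crt> <intermediate.crt>");
            System.exit(2);
        }
        String keystorePath = args[0];
        String alias = args[1];
        char[] password = System.console().readPassword("Keystore password: ");

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        X509Certificate issued = readCerts(args[2]).get(0);
        List<X509Certificate> intermediates = readCerts(args[3]);
        replaceCertificate(ks, alias, password, issued, intermediates);

        // Write to a new file; copy it over the original only after
        // "keytool -list" shows a keyEntry with the expected chain.
        try (OutputStream out = new FileOutputStream(keystorePath + ".new")) {
            ks.store(out, password);
        }
        Arrays.fill(password, '\0');
        System.out.println("wrote " + keystorePath + ".new, alias '" + alias
            + "' now holds " + issued.getSubjectX500Principal());
    }
}
```

Run it as `java ReplaceKeyEntryCert ~/.keystore company public.crt intermediate.crt`; the alias does not have to be "tomcat" as long as server.xml's connector points at the same alias and keystore. The public-key comparison is the check to keep: if it fails, the keystore no longer holds the key that produced the CSR and the certificate has to be reissued against a new request.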